How to disable directory listing in Apache

Apache can display directory contents when no default index file is found, such as index.html or index.php, as managed by the mod_autoindex module. This behavior can expose internal file structures and pose security risks by revealing sensitive or critical information.

Common default index files include index.html, index.htm, index.php, and welcome.html, all configured by the DirectoryIndex directive in the server configuration. Restricting directory browsing is often an essential step to protect data on production servers and shared hosting environments.

Disabling directory listings ensures unauthorized users cannot view the contents of directories. This approach mitigates accidental information disclosure and strengthens overall security without disrupting other core functions of Apache.

For those using platforms like cPanel, there are platform-specific methods to disable Apache's directory listing.

To disable directory listing globally across all sites hosted on your server, deactivate the mod_autoindex module. This method ensures that no directory listings are displayed, regardless of the directory or site.

1. Launch your preferred terminal application.
2. Disable autoindex module for Apache.

   $ sudo a2dismod --force autoindex # Ubuntu, Debian and SUSE
   Module autoindex disabled.
   To activate the new configuration, you need to run:
     systemctl restart apache2

   • Distributions with a2dismod support can simply run the command above without having to manually disable the required modules.
   • LoadModule directive for the corresponding autoindex module need to be manually disabled by removing or commenting (by adding # at the beginning) the line in the configuration file.

   Related: How to enable or disable Apache modules

   Options	Debian, Ubuntu	openSUSE and SLES	Fedora Core, CentOS, RHEL	macOS	homebrew	xampp
   a2dismod support	yes	yes	no	no	no	no
   Modules to uninstall	none
   Module name	n/a		autoindex
   Loadmodule directive	n/a		#LoadModule autoindex_module <module_locations>/mod_autoindex.so

3. Restart Apache for the changes to take effect.

   Related: How to manage the Apache web server service

To disable directory listing for specific directories, modify the Options directive in the Apache configuration file. This method allows more granular control over which directories have directory listing disabled.

1. Open Apache's configuration file using your preferred text editor.

   $ sudo vi /etc/apache2/other/mysite.conf

   The configuration could be set globally or from within VirtualHost configuration.

   Related: Location for Apache VirtualHost configuration files

2. Find the Options line within the Directory blockock.

   <Directory /var/www/mysite>
       Options Indexes FollowSymLinks
   </Directory>

3. Remove Indexes option or add -Indexes to Options directive.

   <Directory /var/www/mysite>
       Options -Indexes FollowSymLinks
   </Directory>

   Notice that it's -Indexes and not +Indexes

4. Save and exit the editor
5. Restart the Apache service to apply changes.

   Related: How to manage the Apache web server service

If you lack root access or prefer to control directory listing for specific directories, use the .htaccess file. This method is ideal for shared hosting environments where you want to restrict directory listings without affecting other sites.

1. Navigate to the directory where you want to disable directory listing.
2. Open or create .htaccess file on the directory using your preferred text editor.

   $ sudo vi /var/www/mysite/.htaccess

3. Add -Indexes to Options directive in the .htaccess file.

   Options -Indexes

   Ensure that the Apache configuration allows the use of .htaccess files by checking the AllowOverride directive is set to All or at least Options for the relevant directory.

4. Save and exit the editor.
5. Restart Apache to apply the changes.

   $ sudo systemctl restart apache2

   Related: How to manage the Apache web server service